AMENDMENTS TO THE CLAIMS

This listing of claims will replace all prior versions of claims in the application: 

1.-25. (Canceled) 

26. (Currently Amended) An intrusion detection system, implemented using one or more
computers, for detecting unauthorised use of a network, comprising:

a sniffer, implemented using the one or more computers, for capturing data being
transmitted on said network; [[and]]

a pattern matching engine, implemented using the one or more computers, for receiving
data captured by said sniffer and comparing said the captured data with attack signatures for
generating an event when a match between the captured data and at least one attack signature is
found; and

a response analysis engine, implemented using the one or more computers and
triggered by said events for comparing with response signatures [[the]] response data being
transmitted on said network as a response to said data matched with said at least one attack
signature and for correlating [[the]] results of said comparisons with attack and response
signatures for generating an alarm.

27. (Currently Amended) The system of claim 26, wherein said response data being

captured by said sniffer by performing an analysis of source IP address in data packets
transmitted on said network.

28. (Currently Amended) The system of claim 26, wherein said response data being
transmitted on said network as a response to said data matched with said attack signature is
captured by said sniffer by performing an analysis of both source and destination IP addresses in
data packets transmitted on said network.

29. (Currently Amended) The system of claim 26, wherein said response data being

captured by said sniffer by analysing transport level information in data packets transmitted on
said network.

30. (Currently Amended) The system of claim 26, wherein said response analysis engine
generates [[an]] the alarm when said response data being transmitted on said network as a
response to said data matched with said attack signature indicates that a new network connection
has been established.

31. (Previously Presented) The system of claim 26, wherein said response signatures are
arranged in two categories, response signatures identifying an illicit traffic, and response 
signatures identifying legitimate traffic. 

32. (Currently Amended) The system of claim 31, wherein said response analysis engine
generates [[an]] the alarm when a match between captured the response data and a response
signature identifying illicit traffic is found.

33. (Currently Amended) The system of claim 31, wherein said response analysis engine
comprises a counter which is incremented when a match between captured the response data and
a response signature identifying legitimate traffic is found.




response to said data matched with said attack signature is

34. (Previously Presented) The system of claim 33, wherein, when said counter reaches a
predetermined value, said response analysis engine terminates without generating any alarm. 

35. (Previously Presented) The system of claim 26, wherein said response analysis engine 
comprises a time-out system triggered by said event for starting a probing task. 

36. (Currently Amended) The system of claim 35, wherein said probing task verifies if any
data has been detected on said network as [[a]] the response to said data matched with said at
least one attack signature and, if such condition is verified:

generates [[an]] the alarm in case only response signatures indicating legitimate traffic
have been used by said response analysis engine; or

ends the probing task in case only response signatures indicating illicit traffic or both
response signatures indicating legitimate traffic and illicit traffic have been used by said response
analysis engine.

37. (Currently Amended) The system of claim 36, wherein, if such condition is not verified,
said probing task attempts to perform a connection to a suspected attacked computer, for
generating [[an]] the alarm if such attempt is successful, or for ending the probing task if such
attempt is unsuccessful. 

38. (Currently Amended) A method performed using one or more computers for detecting
unauthorised use of a network, comprising the steps:

capturing data, using the one or more computers, being transmitted on said network;

comparing said the captured data with attack signatures for generating an event, using the
one or more computers, when a match between the captured data and at least one attack signature
is found; and

when triggered by said event[[;]]:

comparing with response signatures [[the]], using the one or more computers,
response data being transmitted on said network as a response to said data matched with
said at least one attack signature; and

correlating [[the]] results of said comparisons, using the one or more computers,
with attack and response signatures for generating an alarm.

39. (Currently Amended) The method of claim 38, wherein said response data being

captured by performing an analysis of source IP address in data packets transmitted on said
network. 

40. (Currently Amended) The method of claim 38, wherein said response data being 

captured by performing an analysis of both source and destination IP addresses in data packets 
transmitted on said network. 

41. (Currently Amended) The method of claim 38, wherein said response data being
transmitted on said network as a response to said data matched with said attack signature is
captured by analysing transport level information in data packets transmitted on said network.

42. (Currently Amended) The method of claim 38, comprising the step of generating [[an]]
the alarm when said response data being transmitted on said network as a response to said data



43. (Currently Amended) The method of claim 38, wherein said response signatures are
arranged in two categories, response signatures identifying illicit traffic, and response signatures
identifying legitimate traffic.

44. (Currently Amended) The method of claim 43, comprising the step of generating [[an]]
the alarm when a match between captured the response data and a response signature identifying
illicit traffic is found.

45. (Currently Amended) The method of claim 43, comprising the step of incrementing a
counter when a match between captured the response data and a response signature identifying
legitimate traffic is found.

46. (Previously Presented) The method of claim 45, wherein said step of comparing data 
with response signatures is terminated when said counter reaches a predetermined value. 

47. (Previously Presented) The method of claim 38, comprising the step of providing a time- 
out system, triggered by said event, for starting a probing task. 

48. (Currently Amended) The method of claim 47, comprising the step of verifying if any 
data has been detected on said network as a response to said data matched with said at least one 
attack signature, and, if such condition is verified: 

generating [[an]] the alarm in case only response signatures indicating legitimate traffic
have been used; or 




indicates that a new network connection has been established. 
ending said probing task in case only response signatures indicating illicit traffic or both
response signatures indicating legitimate traffic and illicit traffic have been used.

49. (Currently Amended) The method of claim 48, wherein, if such condition is not verified,
said probing task attempts to perform a connection to a suspected attacked computer, for
generating [[an]] the alarm if such attempt is successful, or for ending the probing task if such
attempt is unsuccessful. 

50. (Currently Amended) A computer readable medium encoded with a computer program
product capable of being loaded loadable into a i&#te memory of at least one computer, the
computer program product mi including software code portions for performing the method of
any one of claims 38 to 49 when the product is capable of being run on a computer.
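
The response-analysis logic recited in claims 31 to 37 (and mirrored in method claims 43 to 49), as an added Python example that is not part of the application. The class and function names, the regular expressions, the sample packets and the injected `probe` callable are assumptions made for illustration; response data is selected by source IP address, as in claim 27.

```python
import re
from dataclasses import dataclass

@dataclass
class ResponseAnalysis:
    """State opened by one attack-signature event (names are illustrative)."""
    victim_ip: str
    illicit: list            # regexes: responses showing the attack worked
    legitimate: list         # regexes: responses showing normal behaviour
    legit_limit: int = 3     # the "predetermined value" of the counter
    legit_count: int = 0
    seen_response: bool = False
    verdict: str = "pending"  # pending | alarm | closed

    def on_packet(self, src_ip, payload):
        """Feed one captured packet; traffic sent by the victim is the response."""
        if self.verdict != "pending" or src_ip != self.victim_ip:
            return self.verdict
        self.seen_response = True
        if any(re.search(p, payload) for p in self.illicit):
            self.verdict = "alarm"            # illicit response signature matched
        elif any(re.search(p, payload) for p in self.legitimate):
            self.legit_count += 1
            if self.legit_count >= self.legit_limit:
                self.verdict = "closed"       # counter reached: end, no alarm
        return self.verdict

    def on_timeout(self, probe):
        """Probing task started by the time-out when no verdict was reached."""
        if self.verdict != "pending":
            return self.verdict
        if self.seen_response:
            only_legit = bool(self.legitimate) and not self.illicit
            self.verdict = "alarm" if only_legit else "closed"
        else:   # silent victim: alarm only if it still accepts a connection
            self.verdict = "alarm" if probe(self.victim_ip) else "closed"
        return self.verdict

# Constructed sample signatures and traffic (not taken from the application).
ILLICIT = [r"uid=\d+\("]
LEGIT = [r"^HTTP/1\.[01] 40[34]"]

def analyse(victim, packets, illicit=ILLICIT, legit=LEGIT, probe=lambda ip: False):
    ra = ResponseAnalysis(victim, illicit, legit)
    for src, payload in packets:
        ra.on_packet(src, payload)
    return ra.on_timeout(probe)

if __name__ == "__main__":
    print(analyse("10.0.0.5", [("10.0.0.5", "HTTP/1.1 200 OK\r\n\r\nuid=33(www-data)")]))
```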